Re: E-mail Address in WEB Browser

• To: mogens@mjosa.stanford.edu
• Subject: Re: E-mail Address in WEB Browser
• From: Larry Masinter <masinter@parc.xerox.com>
• Date: Sun, 17 Dec 1995 21:01:36 PST
• CC: robertm@teleport.com, heling@virtu.sar.usf.edu, www-security@ns2.rutgers.edu
• Fake-Sender: masinter@parc.xerox.com
• In-reply-to: Christian Mogensen's message of Thu, 14 Dec 1995 15:32:26 -0800 <199512142332.PAA19199@Mjosa.Stanford.EDU>

> Actually, there is nothing that says a FORM result must be submitted 
> through a HTTP request.  Using <FORM ACTION="mailto:..."> is perfectly
> legal HTML, since mailto:... is a well defined URL.  On the other
> hand there is nothing that guarantees it will work either. 

RFC 1867,  Form-based File Upload in HTML, defines a new media type
(multipart/form-data) which is more appropriate for return of form
information in mail than application/x-www-form-urlencoded.

It's not clear to me why the security considerations for forms
returned by mail and forms returned by HTTP are very different.

One of the (several) reasons RFC 1867 is classified as 'experimental'
is that the 'Security Considerations' section was considered weak. If
you have suggestions on what other security considerations should be,
I'd like to hear them.

• Enterprise Security CFP
• From: alsalqan@cerc.wvu.edu (Yahya Alsalqan)

• Re: E-mail Address in WEB Browser
• From: Christian Mogensen <mogens@Mjosa.Stanford.EDU>

• Previous: Re: Internet Tunnel Question
• Next: SECURITY ALERT: Password protection bug in Netscape 2.0b3
• Index(es):
  • Index
  • Thread